Chinese Cybercriminals Take Advantage of Undisclosed Cisco Switch Vulnerability to Attain System Control

AndyC 23 August 2024

August 22, 2024Ravie LakshmananNetwork Security / Zero-Day

Information has surfaced about a Chinese hacker group’s manipulation of a recently exposed, now fixed vulnerability in Cisco switches as a zero-day vulnerability to attain authority

Chinese Hackers Exploit Zero-Day Cisco Switch Flaw to Gain System Control

August 22, 2024Ravie LakshmananNetwork Security / Zero-Day

Chinese Hackers Exploit Zero-Day Cisco Switch Flaw to Gain System Control

Information has surfaced about a Chinese hacker group’s manipulation of a recently exposed, now fixed vulnerability in Cisco switches as a zero-day vulnerability to attain authority over the device and avoid detection.

The operation, credited to Velvet Ant, was identified earlier this year and involved the exploitation of CVE-2024-20399 (CVSS score: 6.0) to distribute customized malware and acquire complete control over the compromised system, which allowed for both stealing data and maintaining continuous access.

“The zero-day exploit enables a hacker with valid administrator credentials to the Switch management console to escape the NX-OS command line interface (CLI) and run arbitrary commands on the Linux underlying operating system,” cybersecurity firm Sygnia stated in a report shared with The Hacker News.

Cybersecurity

Velvet Ant initially attracted the attention of experts at an Israeli cybersecurity corporation concerning a prolonged campaign targeting an undisclosed organization in East Asia by leveraging outdated F5 BIG-IP appliances to establish persistence in the compromised environment.

The operational conduct of the threat actor exploiting CVE-2024-20399 was revealed early last month, leading Cisco to publish security updates to eliminate the vulnerability.

Chinese Hackers

Among the strategies, the group’s noteworthy approach is the level of complexity and adaptive methods used, initially infiltrating fresh Windows systems and then moving to outdated Windows servers and network devices in an effort to remain inconspicuous.

“The shift to operating from internal network devices signifies a further escalation in the evasion methodologies employed to ensure the espionage campaign’s continuity,” Sygnia added.

The latest attack sequence involves breaching a Cisco switch appliance via CVE-2024-20399 and conducting surveillance tasks, later transitioning to other network devices and ultimately executing a backdoor binary using a malicious script.

Cybersecurity

The payload, named VELVETSHELL, is a fusion of two open-source utilities, a Unix backdoor labeled Tiny SHell and a proxy tool known as 3proxy. It also enables the execution of arbitrary commands, file download/upload, and the establishment of network traffic proxy tunnels.

“The approach of ‘Velvet Ant’ raises concerns and uncertainties regarding third-party appliances and applications that organizations adopt,” the firm noted. “Due to the ‘black box’ nature of many appliances, each piece of hardware or software could potentially become the attack vector exploited by an adversary.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware

Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware

AndyC 20 December 2025
WatchGuard Warns of Active Exploitation of Critical Fireware OS VPN Vulnerability

WatchGuard Warns of Active Exploitation of Critical Fireware OS VPN Vulnerability

AndyC 20 December 2025
Nigeria Arrests RaccoonO365 Phishing Developer Linked to Microsoft 365 Attacks

Nigeria Arrests RaccoonO365 Phishing Developer Linked to Microsoft 365 Attacks

AndyC 20 December 2025
New UEFI Flaw Enables Early-Boot DMA Attacks on ASRock, ASUS, GIGABYTE, MSI Motherboards

New UEFI Flaw Enables Early-Boot DMA Attacks on ASRock, ASUS, GIGABYTE, MSI Motherboards

AndyC 20 December 2025
China-Aligned Threat Group Uses Windows Group Policy to Deploy Espionage Malware

China-Aligned Threat Group Uses Windows Group Policy to Deploy Espionage Malware

AndyC 19 December 2025
HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution

HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution

AndyC 19 December 2025

You may have missed

Amazon Warns Perncious Fake North Korea IT Worker Threat Has Become Widespread

Randall Munroe’s XKCD ‘Fifteen Years’

AndyC 20 December 2025
Why AppSec Can’t Keep Up With AI-Generated Code

Google Shutting Down Dark Web Report Met with Mixed Reactions

AndyC 20 December 2025
Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware

Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware

AndyC 20 December 2025
Containing the Inevitable: What Cyber Leaders Must Prepare for in 2026

Containing the Inevitable: What Cyber Leaders Must Prepare for in 2026

AndyC 20 December 2025
Containing the Inevitable: What Cyber Leaders Must Prepare for in 2026

Containing the Inevitable: What Cyber Leaders Must Prepare for in 2026

AndyC 20 December 2025

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.